Generally Accepted Privacy Principles and Criteria

Management

1.0 The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

1.1 Policies and Communications

1.1.0 Privacy Policies

Management criteria: The entity defines and documents its privacy policies with respect to the following:
a. Notice (see 2.1.0)
b. Choice and consent (see 3.1.0)
c. Collection (see 4.1.0)
d. Use, retention, and disposal (see 5.1.0)
e. Access (see 6.1.0)
f. Disclosure to third parties (see 7.1.0)
g. Security for privacy (see 8.1.0)
h. Quality (see 9.1.0)
i. Monitoring and enforcement (see 10.1.0)

Illustrative controls and procedures: Privacy policies are documented in writing and made readily available to internal personnel and third parties who need them.

Additional considerations: Privacy policies (as used herein) include security policies relevant to the protection of personal information.

1.1.1 Communication to Internal Personnel

Management criteria: Privacy policies and the consequences of noncompliance with such policies are communicated, at least annually, to the entity's internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in privacy policies are communicated to such personnel shortly after the changes are approved.

Illustrative controls and procedures: The entity
- periodically communicates to internal personnel (for example, on a network or a Web site) relevant information about the entity's privacy policies. Changes to its privacy policies are communicated shortly after approval.
- requires internal personnel to confirm (initially and periodically) their understanding of the entity's privacy policies and their agreement to comply with them.

1.1.2 Responsibility and Accountability for Policies

Management criteria: Responsibility and accountability are assigned to a person or group for developing, documenting, implementing, enforcing, monitoring, and updating the entity's privacy policies. The names of such person or group and their responsibilities are communicated to internal personnel.

Illustrative controls and procedures: The entity assigns responsibility for privacy policies to a designated person, such as a corporate privacy officer. (Those assigned responsibility for privacy policies may be different from those assigned for other policies, such as security.) The responsibility, authority, and accountability of the designated person or group are clearly documented. Responsibilities include the following:
- Establishing with management the standards used to classify the sensitivity of personal information and to determine the level of protection required
- Formulating and maintaining the entity's privacy policies
- Monitoring and updating the entity's privacy policies
- Delegating authority for enforcing the entity's privacy policies
- Monitoring the degree of compliance and initiating action to improve the training or clarification of policies and practices
A committee of the board of directors includes privacy periodically in its regular review of overall corporate governance.

Additional considerations: The individual identified as being accountable for privacy should be from within the entity.

1.2 Procedures and Controls

1.2.1 Review and Approval

Management criteria: Privacy policies and procedures, and changes thereto, are reviewed and approved by management.

Illustrative controls and procedures: Privacy policies and procedures are
- reviewed and approved by senior management or a management committee.
- reviewed at least annually and updated as needed.

1.2.2 Consistency of Privacy Policies and Procedures With Laws and Regulations

Management criteria: Policies and procedures are reviewed and compared to the requirements of applicable laws and regulations at least annually and whenever changes to such laws and regulations are made. Privacy policies and procedures are revised to conform with the requirements of applicable laws and regulations.

Illustrative controls and procedures: Corporate counsel or the legal department
- determines which privacy laws and regulations are applicable in the jurisdictions in which the entity operates.
- identifies other standards applicable to the entity.
- reviews the entity's privacy policies and procedures to ensure they are consistent with the applicable laws, regulations, and appropriate standards.

Additional considerations: In addition to legal and regulatory requirements, some entities may elect to comply with certain standards, such as those published by the International Organization for Standardization (ISO), or may be required to comply with certain standards, such as those published by the payment card industry, as a condition of doing business. Entities may include such standards as part of this process.

1.2.3 Personal Information Identification and Classification

Management criteria: The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Such information is covered by the entity's privacy and related security policies and procedures.

Illustrative controls and procedures: The entity has both an information classification policy and process, which include the following:
- A classification process, which identifies and classifies information into one or more of the following categories:
  - Business confidential
  - Personal information (sensitive and other personal information)
  - Business general
  - Public
- Identifying processes, systems, and third parties that handle personal information
- Specific security and privacy policies and procedures that apply to each category of information

1.2.4 Risk Assessment

Management criteria: A risk assessment process is used to establish a risk baseline and to, at least annually, identify new or changed risks to personal information and to develop and update responses to such risks.

Illustrative controls and procedures: A process is in place to periodically identify the risks to the entity's personal information. Such risks may be external (such as loss of information by vendors or failure to comply with regulatory requirements) or internal (such as e-mailing unprotected sensitive information). When new or changed risks are identified, the privacy risk assessment and the response strategies are updated. The process considers factors such as experience with privacy incident management, the complaint and dispute resolution process, and monitoring activities.

Additional considerations: Ideally, the privacy risk assessment should be integrated with the security risk assessment and be a part of the entity's overall enterprise risk management program. The board or a committee of the board should provide oversight and review of the privacy risk assessment.

1.2.5 Consistency of Commitments With Privacy Policies and Procedures

Management criteria: Internal personnel or advisers review contracts for consistency with privacy policies and procedures and address any inconsistencies.

Illustrative controls and procedures: Both management and the legal department review all contracts and service-level agreements for consistency with the entity's privacy policies and procedures.

1.2.6 Infrastructure and Systems Management

Management criteria: The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification, and management of the following:
- Infrastructure
- Systems
- Applications
- Web sites
- Procedures
- Products and services
- Databases and information repositories
- Mobile computing and other similar electronic devices
The use of personal information in process and system test and development is prohibited unless such information is anonymized or otherwise protected in accordance with the entity's privacy policies and procedures.

Illustrative controls and procedures: The following are used for addressing privacy impact:
- Management assesses the privacy impact of new and significantly changed products, services, business processes, and infrastructure.
- The entity uses a documented systems development and change management process for all information systems and related technology (including manual procedures, application programs, technology infrastructure, organizational structure, and the responsibilities of users and systems personnel) used to collect, use, retain, disclose, and destroy personal information.
- The entity assesses planned new systems and changes for their potential effect on privacy. Changes to system components are tested to minimize the risk of any adverse effect on the protection of personal information. All test data are anonymized. A controlled test database is maintained for full regression testing to ensure that changes to one program do not adversely affect other programs that process personal information.
- Procedures ensure the maintenance of integrity and protection of personal information during migration from old to new or changed systems.
- Documentation and approval by the privacy officer, security officer, business unit manager, and IT management are required before implementing the changes to systems and procedures that handle personal information, including those that may affect security. Emergency changes are required to maintain the same level of protection of personal information; however, they may be documented and approved on an after-the-fact basis.
- The IT function maintains a listing of all software that processes personal information and the respective level, version, and patches that have been applied.
- Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
- Where computerized systems are involved, appropriate procedures are followed, such as the use of separate development, test, and production libraries to ensure that access to personal information is appropriately restricted.
- Personnel responsible for initiating or implementing new systems and changes, and users of new or revised processes and applications, are provided training and awareness sessions related to privacy. Specific roles and responsibilities are assigned related to privacy.

Additional considerations: Some jurisdictions prohibit the use of personal information for test and development purposes unless it has been anonymized or otherwise protected to the same level required in its policies for production information.
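The 1.2.6 criteria require that test and development copies of personal information be anonymized while the controlled test database still supports full regression testing, which means the copies must keep their joins. The following is an added example, not part of the GAPP text or of any AICPA/CICA tooling, of a pseudonymization step that does both: identifiers become keyed HMAC tokens so that foreign keys still match across tables, birth dates are generalized to a year, fields no test needs are suppressed, and a release check refuses any output in which a production identifier survives verbatim. The two tables, the field rules, the key, and the `@test.invalid` domain are all constructed for the example; which fields count as identifiers would come from the entity's classification process in 1.2.3.

```python
"""Pseudonymize production records before they are loaded into a test or
development database.

Added example, not part of GAPP or any AICPA/CICA tooling. The tables, field
rules and key below are constructed for the example. Identifiers are replaced
with keyed HMAC tokens so that foreign keys still join in the test database
while the key itself never leaves the production side.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed key. In practice it lives in the production secret store and is
# never copied into the test environment alongside the data.
PSEUDONYM_KEY = b"constructed-production-only-key"

# Fields that, per the assumed classification policy (1.2.3), identify a person.
IDENTIFYING_FIELDS = {"customer_id", "name", "email", "dob", "ssn", "notes"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample production data.
CUSTOMERS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.org",
     "dob": "1984-03-17", "ssn": "123-45-6789", "notes": "Caller confirmed SSN 123-45-6789"},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob.s@example.net",
     "dob": "1990-11-02", "ssn": "987-65-4321", "notes": "Prefers e-mail contact"},
]
ORDERS: List[Dict[str, object]] = [  # customer_id is a foreign key into CUSTOMERS
    {"order_id": "O-1", "customer_id": "C-1001", "amount": 49.90},
    {"order_id": "O-2", "customer_id": "C-1001", "amount": 12.00},
    {"order_id": "O-3", "customer_id": "C-1002", "amount": 99.00},
]


def pseudonym(value: str, prefix: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins
    survive, but without the key a token cannot be reversed or re-derived."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def pseudonymize_customer(row: Dict[str, object]) -> Dict[str, object]:
    """Per-field rules: tokenize identifiers, generalize the birth date to a
    year, suppress what no test needs (SSN) and what cannot be trusted to be
    clean (free-text notes)."""
    return {
        "customer_id": pseudonym(str(row["customer_id"]), "C"),
        "name": pseudonym(str(row["name"]), "NAME"),
        # keeps a syntactically valid address for tests that validate e-mail
        "email": pseudonym(str(row["email"]), "user") + "@test.invalid",
        "birth_year": str(row["dob"])[:4],
        "ssn": None,
        "notes": None,
    }


def pseudonymize_order(row: Dict[str, object]) -> Dict[str, object]:
    """Orders carry no direct identifiers; the foreign key is re-tokenized with
    the same function so it still matches the customer table."""
    return {
        "order_id": row["order_id"],
        "customer_id": pseudonym(str(row["customer_id"]), "C"),
        "amount": row["amount"],
    }


def build_test_dataset(customers, orders) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    return ([pseudonymize_customer(c) for c in customers],
            [pseudonymize_order(o) for o in orders])


def leaked_identifiers(production_rows, test_rows) -> List[Tuple[str, str]]:
    """Release gate: production identifier values that survive verbatim in the
    test output, plus anything SSN-shaped copied out of free text. An empty
    list is the pass condition."""
    test_values = {str(v) for row in test_rows for v in row.values() if v is not None}
    serialized = repr(test_rows)
    leaks = [(field, str(value)) for row in production_rows
             for field, value in row.items()
             if field in IDENTIFYING_FIELDS and str(value) in test_values]
    leaks += [("ssn_pattern", m) for m in SSN_RE.findall(serialized)]
    return leaks


def referential_integrity_ok(test_customers, test_orders) -> bool:
    """Every test order must still point at a customer present in the test table."""
    ids = {c["customer_id"] for c in test_customers}
    return all(o["customer_id"] in ids for o in test_orders)


if __name__ == "__main__":
    tc, to = build_test_dataset(CUSTOMERS, ORDERS)
    assert not leaked_identifiers(CUSTOMERS + ORDERS, tc + to), "refusing to ship test data"
    assert referential_integrity_ok(tc, to)
    for row in tc + to:
        print(row)
```

Because the key stays in production, a compromised test environment yields tokens that cannot be reversed, and a plain unkeyed hash would not do: anyone with the same hash function could confirm a guessed name or SSN against a token. Rotating the key invalidates every existing token, so a refreshed test dataset has to be regenerated for all tables in one run or the joins break.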
1.2.7 Privacy Incident and Breach Management

Management criteria: A documented privacy incident and breach management program has been implemented that includes, but is not limited to, the following:
- Procedures for the identification, management, and resolution of privacy incidents and breaches
- Defined responsibilities
- A process to identify incident severity and determine required actions and escalation procedures
- A process for complying with breach laws and regulations, including stakeholders' breach notification, if required
- An accountability process for employees or third parties responsible for incidents or breaches, with remediation, penalties, or discipline as appropriate
- A process for periodic review (at least on an annual basis) of actual incidents to identify necessary program updates based on the following:
  - Incident patterns and root cause
  - Changes in the internal control environment or external requirements (regulation or legislation)
- Periodic testing or walkthrough process (at least on an annual basis) and associated program remediation as needed

Illustrative controls and procedures: A formal, comprehensive privacy incident and breach management program has been implemented, which specifies the following:
- Incidents and breaches are reported to a member of the breach team, who assesses if it is privacy or security related, or both, classifies the severity of the incident, initiates required actions, and determines the required involvement by individuals who are responsible for privacy and security.
- The chief privacy officer (CPO) has the overall accountability for the program and is supported by the privacy and security steering committees and assisted by the breach team. Incidents and breaches that do not involve personal information are the responsibility of the chief security officer.
- The entity has a privacy breach notification policy, supported by (a) a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach, (b) a process for assessing the need for stakeholders' breach notification, if required by law, regulation, or policy, and (c) a process for delivering the notice in a timely manner. The entity has agreements in place with a third party to manage the notification process and provide credit monitoring services for individuals, if needed.
- The program includes a clear escalation path, based on the type or severity, or both, of the incident, up to executive management, legal counsel, and the board.
- The program sets forth a process for contacting law enforcement, regulatory, or other authorities when necessary.
- Program training for new hires and team members, and awareness training for general staff, is conducted annually, when a significant change in the program is implemented, and after any major incident.
The privacy incident and breach management program also specifies the following:
- After any major privacy incident, a formal incident evaluation is conducted by internal audit or outside consultants.
- A quarterly review of actual incidents is conducted and required program updates are identified based on the following:
  - Incident root cause
  - Incident patterns
  - Changes in the internal control environment and legislation
- Results of the quarterly review are reported to the privacy steering committee and annually to the audit committee.
- Key metrics are defined, tracked, and reported to senior management on a quarterly basis.
- The program is tested at least every six months and shortly after the implementation of significant system or procedural changes.

Additional considerations: Some entities may adopt a breach notification policy for consistent use across all jurisdictions in which they operate. By necessity, such a policy would, at a minimum, be based on the most comprehensive legal requirements in any such jurisdiction.

1.2.8 Supporting Resources

Management criteria: Resources are provided by the entity to implement and support its privacy policies.

Illustrative controls and procedures: Management annually reviews the assignment of personnel, budgets, and allocation of other resources to its privacy program.

1.2.9 Qualifications of Internal Personnel

Management criteria: The entity establishes qualifications for personnel responsible for protecting the privacy and security of personal information and assigns such responsibilities only to those personnel who meet these qualifications and have received needed training.

Illustrative controls and procedures: The qualifications of internal personnel responsible for protecting the privacy and security of personal information are ensured by procedures such as the following:
- Formal job descriptions (including responsibilities, educational and professional requirements, and organizational reporting for key privacy management positions)
- Hiring procedures (including the comprehensive screening of credentials, background checks, and reference checking) and formal employment and confidentiality agreements
- Performance appraisals (performed by supervisors, including assessments of professional development activities)

1.2.10 Privacy Awareness and Training

Management criteria: A privacy awareness program about the entity's privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.

Illustrative controls and procedures: An interactive online privacy and security awareness course is required annually for all employees. New employees, contractors, and others are required to complete this course within the first month following employment in order to retain their access privileges.
In-depth training is provided which covers privacy and relevant security policies and procedures, legal and regulatory considerations, incident response, and related topics. Such training is
- required annually for all employees who have access to personal information or are responsible for protection of personal information.
- tailored to the employee's job responsibilities.
- supplemented by external training and conferences.
Attendance at the entity's privacy training and awareness courses is monitored.
Training and awareness courses are reviewed and updated to reflect current legislative, regulatory, industry, and entity policy and procedure requirements.

1.2.11 Changes in Regulatory and Business Requirements

Management criteria: For each jurisdiction in which the entity operates, the effect on privacy requirements from changes in the following factors is identified and addressed:
- Legal and regulatory
- Contracts, including service-level agreements
- Industry requirements
- Business operations and processes
- People, roles, and responsibilities
- Technology
Privacy policies and procedures are updated to reflect changes in requirements.

Illustrative controls and procedures: The entity has an ongoing process in place to monitor, assess, and address the effect on privacy requirements from changes in the following:
- Legal and regulatory environments
- Industry requirements (such as those for the Direct Marketing Association)
- Contracts, including service-level agreements with third parties (changes that alter the privacy and security related clauses in contracts are reviewed and approved by the privacy officer or legal counsel before they are executed)
- Business operations and processes
- People assigned responsibility for privacy and security matters
- Technology (prior to implementation)

Additional considerations: Ideally, these procedures would be coordinated with the risk assessment process. The entity also should consider emerging and good practices, such as breach notification in jurisdictions where none is required.

Copyright 2009 by
American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.
All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of
professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting
permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.

Notice

2.0 The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

2.1 Policies and Communications

2.1.0 Privacy Policies

Notice criteria: The entity's privacy policies address providing notice to individuals.

2.1.1 Communication to Individuals

Notice criteria: Notice is provided to individuals regarding the following privacy policies:
a. Purpose for collecting personal information
b. Choice and consent (see 3.1.1)
c. Collection (see 4.1.1)
d. Use, retention, and disposal (see 5.1.1)
e. Access (see 6.1.1)
f. Disclosure to third parties (see 7.1.1)
g. Security for privacy (see 8.1.1)
h. Quality (see 9.1.1)
i. Monitoring and enforcement (see 10.1.1)
If personal information is collected from sources other than the individual, such sources are described in the notice.

Illustrative controls and procedures: The entity's privacy notice
- describes the personal information collected, the sources of such information, and the purposes for which it is collected.
- indicates the purpose for collecting sensitive personal information and whether such purpose is part of a legal requirement.
- describes the consequences, if any, of not providing the requested information.
- indicates that certain information may be developed about individuals, such as buying patterns.
- may be provided in various ways (for example, in a face-to-face conversation, in a telephone interview, on an application form or questionnaire, or electronically). However, written notice is the preferred method.

Additional considerations: Notice also may describe situations in which personal information will be disclosed, such as the following:
- Certain processing for purposes of public security or defense
- Certain processing for purposes of public health or safety
- When allowed or required by law
The purpose described in the notice should be stated in such a manner that the individual can reasonably understand the purpose and how the personal information is to be used. Such purpose should be consistent with the business purpose of the entity and not overly broad.
Consideration should be given to providing a summary-level notice with links to more detailed sections of the policy.

2.2 Procedures and Controls

2.2.1 Provision of Notice

Notice criteria: Notice is provided to the individual about the entity's privacy policies and procedures (a) at or before the time personal information is collected, or as soon as practical thereafter, (b) at or before the entity changes its privacy policies and procedures, or as soon as practical thereafter, or (c) before personal information is used for new purposes not previously identified.

Illustrative controls and procedures: The privacy notice is
- readily accessible and available when personal information is first collected from the individual.
- provided in a timely manner (that is, at or before the time personal information is collected, or as soon as practical thereafter) to enable individuals to decide whether or not to submit personal information to the entity.
- clearly dated to allow individuals to determine whether the notice has changed since the last time they read it or since the last time they submitted personal information to the entity.
In addition, the entity
- tracks previous iterations of the entity's privacy policies and procedures.
- informs individuals of a change to a previously communicated privacy notice, for example, by posting the notification on the entity's Web site, by sending written notice via postal mail, or by sending an e-mail.
- documents that changes to privacy policies and procedures were communicated to individuals.

Additional considerations: See 3.2.2, Consent for New Purposes and Uses.
Some regulatory requirements indicate that a privacy notice is to be provided on a periodic basis, for example, annually in the Gramm-Leach-Bliley Act (GLBA).

2.2.2 Entities and Activities Covered

Notice criteria: An objective description of the entities and activities covered by the privacy policies and procedures is included in the entity's privacy notice.

Illustrative controls and procedures: The privacy notice describes the particular entities, business segments, locations, and types of information covered, such as:
- Operating jurisdictions (legal and political)
- Business segments and affiliates
- Lines of business
- Types of third parties (for example, delivery companies and other types of service providers)
- Types of information (for example, information about customers and potential customers)
- Sources of information (for example, mail order or online)

Additional considerations: The entity informs individuals when they might assume they are covered by the entity's privacy policies but, in fact, are no longer covered (for example, linking to another Web site that is similar to the entity's, or using services on the entity's premises provided by third parties).

2.2.3 Clear and Conspicuous

Notice criteria: The entity's privacy notice is conspicuous and uses clear language.

Illustrative controls and procedures: The privacy notice is
- in plain and simple language.
- appropriately labeled, easy to see, and not in unusually small print.
- linked to or displayed on the Web site at points of data collection.
- available in the national languages used on the site or in languages required by law.

Additional considerations: If multiple notices are used for different subsidiaries or segments of an entity, similar formats are encouraged to avoid consumer confusion and allow consumers to identify any differences.
Some regulations may contain specific information that a notice must contain.
Illustrative notices are often available for certain industries and types of collection, use, retention, and disclosure.


Choice and Consent


Ref.
3.0
3.1
3.1.0

3.1.1

Choice and Consent Criteria

Illustrative Controls and


Procedures

Additional Considerations

The entity describes the choices available to the individual and obtains implicit or explicit consent with respect
to the collection, use, and disclosure of personal information.
Policies and Communications
Privacy Policies
The entitys privacy policies address
the choices available to individuals
and the consent to be obtained.
Communication to Individuals
Individuals are informed about (a)
the choices available to them with
respect to the collection, use, and
disclosure of personal information,
and (b) that implicit or explicit
consent is required to collect, use,
and disclose personal information,
unless a law or regulation specifically
requires or allows otherwise.

The entitys privacy notice describes,


in a clear and concise manner, the
following:
The choices available to the
individual regarding the
collection, use, and disclosure of
personal information
The process an individual should
follow to exercise these choices
(for example, checking an opt
out box to decline receiving
marketing materials)
The ability of, and process for,
an individual to change contact
preferences
The consequences of failing to
provide personal information
required for a transaction or
service
Individuals are advised of the
following:
Personal information not
essential to the purposes

Some laws and regulations (such as


Principle 11, Limits on disclosure of
personal information, section 1 of
the Australian Privacy Act of 1988)
provide specific exemptions for the
entity not to obtain the individuals
consent. Examples of such situations
include the following:
The record keeper believes, on
reasonable grounds, that use of
the information for that other
purpose is necessary to prevent
or lessen a serious and imminent
threat to the life or health of the
individual concerned or another
person.
Use of the information for that
other purpose is required or
authorized by or under law.

Ref.

Choice and Consent Criteria

Illustrative Controls and


Procedures

identified in the privacy notice


need not be provided.
Preferences may be changed,
and consent may be withdrawn
at a later time, subject to legal
or contractual restrictions and
reasonable notice.

The type of consent required depends


on the nature of the personal
information and the method of
collection (for example, an individual
subscribing to a newsletter gives
implied consent to receive
communications from the entity).
3.1.2

Consequences of Denying or
Withdrawing Consent
When personal information is
collected, individuals are informed of
the consequences of refusing to
provide personal information or of
denying or withdrawing consent to
use personal information for purposes
identified in the notice.

At the time of collection, the entity


informs individuals of the following:
About the consequences of
refusing to provide personal
information (for example,
transactions may not be
processed)
About the consequences of
denying or withdrawing consent
(for example, opting out of
receiving information about
products and services may result
in not being made aware of sales
promotions)
About how they will or will not be
affected by failing to provide
more than the minimum required
personal information (for
example, services or products
will still be provided)

Additional Considerations

Ref.

Choice and Consent Criteria

3.2
3.2.1

Procedures and Controls


Implicit or Explicit Consent
Implicit or explicit consent is obtained
from the individual at or before the
time personal information is collected
or soon after. The individuals
preferences expressed in his or her
consent are confirmed and
implemented.

Illustrative Controls and


Procedures
The entity

3.2.2

Consent for New Purposes and


Uses
If information that was previously
collected is to be used for purposes
not previously identified in the
privacy notice, the new purpose is

obtains and documents an


individuals consent in a timely
manner (that is, at or before the
time personal information is
collected or soon after).
confirms an individuals
preferences (in writing or
electronically).
documents and manages
changes to an individuals
preferences.
- ensures that an individual's preferences are implemented in a timely fashion.
- addresses conflicts in the records about an individual's preferences by providing a process for users to notify and challenge a vendor's interpretation of their contact preferences.
- ensures that the use of personal information, throughout the entity and by third parties, is in accordance with an individual's preferences.

Criteria (continued): ...documented, the individual is notified, and implicit or explicit consent is obtained prior to such new use or purpose.

Illustrative Controls and Procedures: When personal information is to be used for a purpose not previously specified, the entity
- notifies the individual and documents the new purpose.
- obtains and documents consent or withdrawal of consent to use the personal information for the new purpose.
- ensures that personal information is being used in accordance with the new purpose or, if consent was withdrawn, not so used.

3.2.3 Explicit Consent for Sensitive Information

Criteria: Explicit consent is obtained directly from the individual when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.

Illustrative Controls and Procedures: The entity collects sensitive information only if the individual provides explicit consent. Explicit consent requires that the individual affirmatively agree, through some action, to the use or disclosure of the sensitive information. Explicit consent is obtained directly from the individual and documented, for example, by requiring the individual to check a box or sign a form. This is sometimes referred to as opt in.

Additional Considerations: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, clause 4.3.6, states that an organization should generally seek explicit consent when the information is likely to be considered sensitive.
Many jurisdictions prohibit the collection of sensitive data, unless specifically allowed. For example, in the EU member state of Greece, Article 7 of Greece's Law on the protection of individuals with regard to the processing of personal data states, "The collection and processing of sensitive data is forbidden." However, a permit to collect and process sensitive data may be obtained.
Some jurisdictions consider government-issued personal identifiers, for example, Social Security numbers or Social Insurance numbers, to be sensitive information.

3.2.4 Consent for Online Data Transfers To or From an Individual's Computer or Other Similar Electronic Devices

Criteria: Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.

Illustrative Controls and Procedures: The entity requests customer permission to store, alter, or copy personal information (other than cookies) in the customer's computer or other similar electronic device.
If the customer has indicated to the entity that it does not want cookies, the entity has controls to ensure that cookies are not stored on the customer's computer or other similar electronic device.
Entities will not download software that will transfer personal information without obtaining permission.

Additional Considerations: Consideration should be given to prevent or detect the introduction of software that is designed to mine or extract information from a computer or other similar electronic device and therefore may be used to extract personal information, for example, spyware.
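The 3.2.4 control that cookies are not stored on the device of a customer who has declined them can be enforced at the point where HTTP responses leave the entity's systems. The following is an added example, not part of the AICPA/CICA text: it records the customer's answer to the permission request, treats any missing answer as a refusal, strips Set-Cookie headers from a response when cookies are not permitted, and returns the names of the suppressed cookies so the suppression can be logged and monitored. The in-memory preference store, the header layout, the cookie names and the optional allow-list of cookies needed for a service the customer asked for are all constructed for the example; with an empty allow-list every cookie is suppressed.

```python
"""Honouring a customer's cookie refusal at the HTTP response boundary (added example)."""
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Header = Tuple[str, str]


def record_cookie_preference(store: Dict[str, bool], customer_id: str, allow: bool) -> None:
    """Persist the customer's answer to the permission request (constructed in-memory store)."""
    store[customer_id] = allow


def cookies_permitted(store: Dict[str, bool], customer_id: Optional[str]) -> bool:
    """Permission is only ever an explicit 'yes'; an unknown customer or no answer means no cookies."""
    if customer_id is None:
        return False
    return store.get(customer_id, False) is True


def cookie_name(set_cookie_value: str) -> str:
    """'sid=abc; Path=/; HttpOnly' -> 'sid'."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def apply_cookie_preference(
    headers: Sequence[Header], permitted: bool, essential: Iterable[str] = ()
) -> Tuple[List[Header], List[str]]:
    """Drop Set-Cookie headers the customer has not permitted.

    Returns the headers to send and the names of the cookies that were suppressed.
    Cookies named in `essential` (a constructed allow-list, for example the session
    cookie of a login the customer requested) pass through even when cookies are refused.
    """
    essential = set(essential)
    kept: List[Header] = []
    suppressed: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie" and not permitted:
            cname = cookie_name(value)
            if cname not in essential:
                suppressed.append(cname)
                continue
        kept.append((name, value))
    return kept, suppressed


def verify_no_unpermitted_cookies(headers: Sequence[Header], essential: Iterable[str] = ()) -> List[str]:
    """Monitoring check: names of non-essential cookies a response would still set."""
    essential = set(essential)
    return [cookie_name(v) for n, v in headers
            if n.lower() == "set-cookie" and cookie_name(v) not in essential]


# Constructed sample: a response that tries to set a tracking cookie and a session cookie.
SAMPLE_RESPONSE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "tracking_id=abc123; Path=/; Max-Age=31536000"),
    ("Set-Cookie", "session=xyz789; Path=/; HttpOnly; Secure"),
]


def demo() -> Tuple[List[Header], List[str]]:
    """Customer cust-42 (constructed) declined cookies; only the session cookie may be set."""
    prefs: Dict[str, bool] = {}
    record_cookie_preference(prefs, "cust-42", allow=False)
    permitted = cookies_permitted(prefs, "cust-42")
    return apply_cookie_preference(SAMPLE_RESPONSE_HEADERS, permitted, essential=("session",))


if __name__ == "__main__":
    sent, dropped = demo()
    print("sent:", sent)
    print("suppressed:", dropped)
```

The monitoring function is what the "controls to ensure" wording points at: it can be run over captured responses for customers who refused cookies, and any non-empty result is a control failure to investigate.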

Copyright 2009 by
American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.
All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of
professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting
permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.

Collection

4.0 The entity collects personal information only for the purposes identified in the notice.

4.1 Policies and Communications

4.1.0 Privacy Policies

Criteria: The entity's privacy policies address the collection of personal information.

Additional Considerations: Some jurisdictions, such as some countries in Europe, require entities that collect personal information to register with their regulatory body.

4.1.1 Communication to Individuals

Criteria: Individuals are informed that personal information is collected only for the purposes identified in the notice.

Illustrative Controls and Procedures: The entity's privacy notice discloses the types of personal information collected, the sources and methods used to collect personal information, and whether information is developed or acquired about individuals, such as buying patterns.

4.1.2 Types of Personal Information Collected and Methods of Collection

Criteria: The types of personal information collected and the methods of collection, including the use of cookies or other tracking techniques, are documented and described in the privacy notice.

Illustrative Controls and Procedures: The entity's privacy notice discloses whether it uses cookies and Web beacons and how they are used. The notice also describes the consequences if the cookie is refused.

Additional Considerations: Types of personal information collected include the following:
- Financial (for example, financial account information)
- Health (for example, information about physical or mental status or history)
- Demographic (for example, age, income range, social geocodes)
Methods of collecting and third-party sources of personal information include the following:
- Credit reporting agencies
- Over the telephone
- Via the Internet using forms, cookies, or Web beacons
Some jurisdictions, such as those in the EU, require that individuals have the opportunity to decline the use of cookies.

4.2 Procedures and Controls

4.2.1 Collection Limited to Identified Purpose

Criteria: The collection of personal information is limited to that necessary for the purposes identified in the notice.

Illustrative Controls and Procedures: Systems and procedures are in place to
- specify the personal information essential for the purposes identified in the notice and differentiate it from optional personal information.
- periodically review the entity's program or service needs for personal information (for example, once every five years or when changes to the program or service are made).
- obtain explicit consent when sensitive personal information is collected (see 3.2.3, Explicit Consent for Sensitive Information).
- monitor that the collection of personal information is limited to that necessary for the purposes identified in the privacy notice and that all optional data is identified as such.


4.2.2 Collection by Fair and Lawful Means

Criteria: Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.

Illustrative Controls and Procedures: The entity's management, privacy officer, and legal counsel review the methods of collection and any changes thereto.

Additional Considerations: The following may be considered deceptive practices:
- To use tools, such as cookies and Web beacons, on the entity's Web site to collect personal information without providing notice to the individual
- To link information collected during an individual's visit to a Web site with personal information from other sources without providing notice to the individual
- To use a third party to collect information in order to avoid providing notice to individuals
Entities should consider legal and regulatory requirements in jurisdictions other than the one in which they operate (for example, an entity in Canada collecting personal information about Europeans may be subject to certain European legal requirements).
A review of complaints may help to identify whether unfair or unlawful practices exist.

4.2.3 Collection From Third Parties

Criteria: Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.

Illustrative Controls and Procedures: The entity
- performs due diligence before establishing a relationship with a third-party data provider.
- reviews the privacy policies, collection methods, and types of consents of third parties before accepting personal information from third-party data sources.

Additional Considerations: Contracts include provisions requiring personal information to be collected fairly and lawfully and from reliable sources.

4.2.4 Information Developed About Individuals

Criteria: Individuals are informed if the entity develops or acquires additional information about them for its use.

Illustrative Controls and Procedures: The entity's privacy notice indicates that, if applicable, it may develop and acquire information about the individual using third-party sources, browsing, credit and purchasing history, and so on.


Use, Retention, and Disposal

5.0 The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

5.1 Policies and Communications

5.1.0 Privacy Policies

Criteria: The entity's privacy policies address the use, retention, and disposal of personal information.

5.1.1 Communication to Individuals

Criteria: Individuals are informed that personal information is (a) used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise, (b) retained for no longer than necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and (c) disposed of in a manner that prevents loss, theft, misuse, or unauthorized access.

Illustrative Controls and Procedures: The entity's privacy notice describes the following uses of personal information, for example:
- Processing business transactions such as claims and warranties, payroll, taxes, benefits, stock options, bonuses, or other compensation schemes
- Addressing inquiries or complaints about products or services, or interacting during the promotion of products or services
- Product design and development, or purchasing of products or services
- Participation in scientific or medical research activities, marketing, surveys, or market analysis
- Personalization of Web sites or downloading software
- Legal requirements
- Direct marketing
The entity's privacy notice explains that personal information will be retained only as long as necessary to fulfill the stated purposes, or for a period specifically required by law or regulation, and thereafter will be disposed of securely or made anonymous so that it cannot be identified to any individual.

5.2 Procedures and Controls

5.2.1 Use of Personal Information

Criteria: Personal information is used only for the purposes identified in the notice and only if the individual has provided implicit or explicit consent, unless a law or regulation specifically requires otherwise.

Illustrative Controls and Procedures: Systems and procedures are in place to ensure that personal information is used
- in conformity with the purposes identified in the entity's privacy notice.
- in agreement with the consent received from the individual.
- in compliance with applicable laws and regulations.

Additional Considerations: Some regulations have specific provisions concerning the use of personal information. Examples are the GLBA, the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA).

5.2.2 Retention of Personal Information

Criteria: Personal information is retained for no longer than necessary to fulfill the stated purposes unless a law or regulation specifically requires otherwise.

Illustrative Controls and Procedures: The entity
- documents its retention policies and disposal procedures.
- retains, stores, and disposes of archived and backup copies of records in accordance with its retention policies.
- ensures personal information is not kept beyond the standard retention time unless a justified business or legal reason for doing so exists.

Additional Considerations: Some laws specify the retention period for personal information. For example, HIPAA has retention requirements on accounting for disclosures of personal health information: three years for electronic health records, and six years for nonelectronic health records.
Other statutory record retention requirements may exist; for example, certain data may need to be retained for tax purposes or in accordance with employment laws.
Contractual requirements are considered when establishing retention practices when they may be exceptions to normal policies.

5.2.3 Disposal, Destruction, and Redaction of Personal Information

Criteria: Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.

Illustrative Controls and Procedures: The entity
- erases or destroys records in accordance with the retention policies, regardless of the method of storage (for example, electronic, optical media, or paper based).
- disposes of original, archived, backup, and ad hoc or personal copies of records in accordance with its destruction policies.
- documents the disposal of personal information.
- within the limits of technology, locates and removes or redacts specified personal information about an individual as required, for example, removing credit card numbers after the transaction is complete.
- regularly and systematically destroys, erases, or makes anonymous personal information no longer required to fulfill the identified purposes or as required by laws and regulations.

Additional Considerations: Consideration should be given to using the services of companies that provide secure destruction services for personal information. Certain of these companies will provide a certificate of destruction where needed.
Contractual requirements are considered when establishing disposal, destruction, and redaction practices if they may result in exception to the entity's normal policies.
Certain archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not permit the removal of individual records without destruction of the entire database contained on such media.
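The 5.2.2 and 5.2.3 controls (retention no longer than the documented period unless a justified reason exists, regular destruction or anonymization of expired records, redaction of card numbers once a transaction is complete, and a written record of each disposal) can be implemented as a scheduled job over a record store. The following is an added example, not part of the AICPA/CICA text: the retention schedule, the list of identifying fields, the purposes and the sample records are all constructed, and a record whose purpose has no documented retention period is escalated for review rather than deleted, since silently destroying data under an undocumented policy is itself a control failure.

```python
"""Retention-schedule enforcement with a documented disposal record (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Documented retention schedule: purpose -> (days to retain, action at expiry).
# Constructed values; a real schedule comes from the entity's retention policy and applicable law.
RETENTION_SCHEDULE: Dict[str, Tuple[int, str]] = {
    "order_fulfilment": (365, "destroy"),
    "tax_records": (7 * 365, "destroy"),
    "market_analysis": (180, "anonymise"),   # keep the aggregates, drop the identifiers
}
IDENTIFYING_FIELDS = {"name", "email", "address", "card_number"}   # constructed list


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    fields: Dict[str, object]
    transaction_complete: bool = False
    hold_reason: Optional[str] = None   # documented business or legal reason to keep past schedule


@dataclass
class DisposalLog:
    """The written record of disposal that 5.2.3 asks the entity to keep."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def add(self, record_id: str, action: str, reason: str, when: date) -> None:
        self.entries.append({"record_id": record_id, "action": action,
                             "reason": reason, "date": when.isoformat()})


def redact_card_number(rec: Record, log: DisposalLog, today: date) -> bool:
    """Remove the card number as soon as the transaction is complete; keep the rest of the record."""
    if rec.transaction_complete and "card_number" in rec.fields:
        del rec.fields["card_number"]
        log.add(rec.record_id, "redact:card_number", "transaction complete", today)
        return True
    return False


def anonymise(rec: Record) -> None:
    """Strip identifying fields so the record can no longer be tied to an individual."""
    rec.fields = {k: v for k, v in rec.fields.items() if k not in IDENTIFYING_FIELDS}


def apply_retention(records: List[Record], today: date, log: DisposalLog) -> Tuple[List[Record], List[Record]]:
    """Return (records still held, records needing review); expired records are destroyed or anonymised."""
    kept: List[Record] = []
    needs_review: List[Record] = []
    for rec in records:
        redact_card_number(rec, log, today)
        if rec.purpose not in RETENTION_SCHEDULE:
            needs_review.append(rec)        # no documented period: escalate, never delete silently
            continue
        days, action = RETENTION_SCHEDULE[rec.purpose]
        expired = today > rec.collected_on + timedelta(days=days)
        if not expired:
            kept.append(rec)
        elif rec.hold_reason:               # justified exception, documented in the log
            log.add(rec.record_id, "retain", rec.hold_reason, today)
            kept.append(rec)
        elif action == "anonymise":
            anonymise(rec)
            log.add(rec.record_id, "anonymise", "retention period elapsed", today)
            kept.append(rec)
        else:
            log.add(rec.record_id, "destroy", "retention period elapsed", today)
    return kept, needs_review


def sample_records() -> List[Record]:
    """Constructed sample data."""
    return [
        Record("r1", "order_fulfilment", date(2020, 1, 10),
               {"name": "A. Example", "card_number": "4111-xxxx-xxxx-1111", "item": "book"},
               transaction_complete=True),
        Record("r2", "order_fulfilment", date(2019, 3, 1), {"name": "B. Example", "item": "lamp"},
               hold_reason="litigation hold LH-0001 (constructed)"),
        Record("r3", "market_analysis", date(2020, 6, 1),
               {"email": "c@example.com", "region": "north", "spend": 42}),
        Record("r4", "tax_records", date(2020, 1, 1), {"name": "D. Example", "invoice": "INV-0001"}),
        Record("r5", "legacy_import", date(2015, 1, 1), {"name": "E. Example"}),   # no documented period
    ]


def run(today: date = date(2021, 7, 1)) -> Tuple[List[Record], List[Record], DisposalLog]:
    log = DisposalLog()
    kept, review = apply_retention(sample_records(), today, log)
    return kept, review, log


if __name__ == "__main__":
    held, review, disposal_log = run()
    print("held:", [r.record_id for r in held], "review:", [r.record_id for r in review])
    for entry in disposal_log.entries:
        print(entry)
```

Run against the sample on 2021-07-01, the job redacts and then destroys the completed order r1, keeps r2 under its documented hold, anonymises the expired market-analysis record r3, leaves the tax record r4 untouched, and escalates r5. The same log structure is what an archived or backup copy should be reconciled against, so that 5.2.2's requirement to dispose of backups on the same schedule can be verified.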


Access

6.0 The entity provides individuals with access to their personal information for review and update.

6.1 Policies and Communications

6.1.0 Privacy Policies

Criteria: The entity's privacy policies address providing individuals with access to their personal information.

6.1.1 Communication to Individuals

Criteria: Individuals are informed about how they may obtain access to their personal information to review, update, and correct that information.

Illustrative Controls and Procedures: The entity's privacy notice
- explains how individuals may gain access to their personal information and any costs associated with obtaining such access.
- outlines the means by which individuals may update and correct their personal information (for example, in writing, by phone, by e-mail, or by using the entity's Web site).
- explains how disagreements related to personal information may be resolved.

6.2 Procedures and Controls

6.2.1 Access by Individuals to Their Personal Information

Criteria: Individuals are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.

Illustrative Controls and Procedures: Procedures are in place to
- determine whether the entity holds or controls personal information about an individual.
- communicate the steps to be taken to gain access to the personal information.
- respond to an individual's request on a timely basis.
- provide a copy of personal information, upon request, in printed or electronic form that is convenient to both the individual and the entity.
- record requests for access and actions taken, including denial of access and unresolved complaints and disputes.

Additional Considerations: Some laws and regulations specify the following:
- Provisions and requirements for providing access to personal information (for example, HIPAA)
- Requirements that requests for access to personal information be submitted in writing

6.2.2 Confirmation of an Individual's Identity

Criteria: The identity of individuals who request access to their personal information is authenticated before they are given access to that information.

Illustrative Controls and Procedures: Employees are adequately trained to authenticate the identity of individuals before granting the following:
- Access to their personal information
- Requests to change sensitive or other personal information (for example, to update information such as address or bank details)
The entity
- does not use government-issued identifiers (for example, Social Security numbers or Social Insurance numbers) for authentication.
- mails information about a change request only to the address of record or, in the case of a change of address, to both the old and new addresses.
- requires that a unique user identification and password (or equivalent) be used to access user account information online.

Additional Considerations: The extent of authentication depends on the type and sensitivity of personal information that is made available. Different techniques may be considered for the different channels, such as the following:
- Web
- Interactive voice response system
- Call center
- In person

6.2.3 Understandable Personal Information, Time Frame, and Cost

Criteria: Personal information is provided to the individual in an understandable form, in a reasonable timeframe, and at a reasonable cost, if any.

Illustrative Controls and Procedures: The entity
- provides personal information to the individual in a format that is understandable (for example, not in code, not in a series of numbers, not in overly technical language or other jargon), and in a form convenient to both the individual and the entity.
- makes a reasonable effort to locate the personal information requested and, if personal information cannot be found, keeps sufficient records to demonstrate that a reasonable search was made.
- takes reasonable precautions to ensure that personal information released does not identify another person, directly or indirectly.
- provides access to personal information in a timeframe that is similar to the entity's normal response times for other business transactions, or as permitted or required by law.
- provides access to personal information in archived or backup systems and media.
- informs individuals of the cost of access at the time the access request is made or as soon as practicable thereafter.
- charges the individual for access to personal information at an amount, if any, which is not excessive in relation to the entity's cost of providing access.
- provides an appropriate physical space to inspect personal information.

Additional Considerations: Entities may provide individuals with access to their personal information at no cost or at a minimal cost because of the potential business and customer-relationship benefits, as well as the opportunity to enhance the quality of the information.

6.2.4 Denial of Access

Criteria: Individuals are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.

Illustrative Controls and Procedures: The entity
- outlines the reasons why access to personal information may be denied.
- records all denials of access and unresolved complaints and disputes.
- provides the individual with partial access in situations in which access to some of his or her personal information is justifiably denied.
- provides the individual with a written explanation about why access to personal information is denied.
- provides a formal escalation (appeal) process if access to personal information is denied.
- conveys the entity's legal rights and the individual's right to challenge, if applicable.

Additional Considerations: Some laws and regulations (for example, Principle 5, Information relating to records kept by record-keeper, point 2 of the Australian Privacy Act of 1988, and PIPEDA, Sections 8.(4), 8.(5), 8.(7), 9, 10, and 28) specify the situations in which access can be denied, the process to be followed (such as notifying the customer of the denial in writing within 30 days), and potential penalties or sanctions for lack of compliance.

6.2.5 Updating or Correcting Personal Information

Criteria: Individuals are able to update or correct personal information held by the entity. If practical and economically feasible to do so, the entity provides such updated or corrected information to third parties that previously were provided with the individual's personal information.

Illustrative Controls and Procedures: The entity
- describes the process an individual must follow to update or correct personal information records (for example, in writing, by phone, by e-mail, or by using the entity's Web site).
- verifies the accuracy and completeness of personal information that an individual updates or changes (for example, by edit and validation controls, and forced completion of mandatory fields).
- records the date, time, and identification of the person making the change if the entity's employee is making a change on behalf of an individual.
- notifies third parties to whom personal information has been disclosed of amendments, erasures, or blocking of personal information, if it is possible and reasonable to do so.

Additional Considerations: In some jurisdictions (for example, PIPEDA, Schedule 1, clauses 4.5.2 and 4.5.3), personal information cannot be erased, but an entity is bound to cease further processing.

6.2.6 Statement of Disagreement

Criteria: Individuals are informed, in writing, about the reason a request for correction of personal information was denied, and how they may appeal.

Illustrative Controls and Procedures: If an individual and an entity disagree about whether personal information is complete and accurate, the individual may ask the entity to accept a statement claiming that the personal information is not complete and accurate.
The entity
- documents instances where an individual and the entity disagree about whether personal information is complete and accurate.
- informs the individual, in writing, of the reason a request for correction of personal information is denied, citing the individual's right to appeal.
- informs the individual, when access to personal information is requested or when access is actually provided, that the statement of disagreement may include information about the nature of the change sought by the individual and the reason for its refusal by the entity.
- if appropriate, notifies third parties who have previously been provided with personal information that there is a disagreement and the nature of the disagreement.

Additional Considerations: See 10.1.1, Communications to Individuals, 10.2.1, Inquiry, Complaint, and Dispute Process, and 10.2.2, Dispute Resolution and Recourse.
Some regulations (for example, HIPAA) have specific requirements for denial of requests and handling of disagreements from individuals.
If a challenge is not resolved to the satisfaction of the individual, when appropriate, the existence of such challenge is communicated to third parties having access to the information in question.


Disclosure to Third Parties

7.0 The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

7.1 Policies and Communications

7.1.0 Privacy Policies

Criteria: The entity's privacy policies address the disclosure of personal information to third parties.

7.1.1 Communication to Individuals

Criteria: Individuals are informed that personal information is disclosed to third parties only for the purposes identified in the notice and for which the individual has provided implicit or explicit consent unless a law or regulation specifically allows or requires otherwise.

Illustrative Controls and Procedures: The entity's privacy notice
- describes the practices related to the sharing of personal information (if any) with third parties and the reasons for information sharing.
- identifies third parties or classes of third parties to whom personal information is disclosed.
- informs individuals that personal information is disclosed to third parties only for the purposes (a) identified in the notice, and (b) for which the individual has provided implicit or explicit consent, or as specifically allowed or required by law or regulation.

7.1.2 Communication to Third Parties

Criteria: Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.

Illustrative Controls and Procedures: Prior to sharing personal information with a third party, the entity communicates its privacy policies or other specific instructions or requirements for handling personal information to, and obtains a written agreement from, the third party that its privacy practices over the disclosed personal information adhere to those policies or requirements.

Additional Considerations: The entity's privacy notice may disclose the following:
- The process used to assure the privacy and security of personal information that has been disclosed to a third party
- How personal information shared with a third party will be kept up to date, so that outdated or incorrect information shared with a third party will be changed if the individual has changed his or her information

7.2 Procedures and Controls

7.2.1 Disclosure of Personal Information

Criteria: Personal information is disclosed to third parties only for the purposes described in the notice, and for which the individual has provided implicit or explicit consent, unless a law or regulation specifically requires or allows otherwise.

Illustrative Controls and Procedures: Systems and procedures are in place to
- prevent the disclosure of personal information to third parties unless an individual has given implicit or explicit consent for the disclosure.
- document the nature and extent of personal information disclosed to third parties.
- test whether disclosure to third parties is in compliance with the entity's privacy policies and procedures, or as specifically allowed or required by law or regulation.
- document any third-party disclosures for legal reasons.

Additional Considerations: Personal information may be disclosed through various legal processes to law enforcement or regulatory agencies.

7.2.2 Protection of Personal Information

Criteria: Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy policies or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.

Illustrative Controls and Procedures: When providing personal information to third parties, the entity enters into contracts that require a level of protection of personal information equivalent to that of the entity's. In doing so, the entity
- limits the third party's use of personal information to purposes necessary to fulfill the contract.
- communicates the individual's preferences to the third party.
- refers any requests for access or complaints about the personal information transferred by the entity to a designated privacy executive, such as a corporate privacy officer.
- specifies how and when third parties are to dispose of or return any personal information provided by the entity.
The entity evaluates compliance with such contract using one or more of the following approaches to obtain an increasing level of assurance depending on its risk assessment:
- The third party responds to a questionnaire about its practices.
- The third party self-certifies that its practices meet the entity's requirements based on internal audit reports or other procedures.
- The entity performs an onsite evaluation of the third party.
- The entity receives an audit or similar report provided by an independent auditor.

Additional Considerations: The entity is responsible for personal information in its possession or custody, including information that has been transferred to a third party.
Some laws and regulations have specific provisions for the disclosure of personal information. Some permit disclosure of personal information without consent whereas others require verifiable consent.
Some regulations (for example, from the U.S. federal financial regulatory agencies) require that an entity take reasonable steps to oversee appropriate service providers by exercising appropriate due diligence in the selection of service providers.

7.2.3 New Purposes and Uses

Criteria: Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of the individual.

Illustrative Controls and Procedures: Systems and procedures are in place to
- notify individuals and obtain their consent prior to disclosing personal information to a third party for purposes not identified in the privacy notice.
- document whether the entity has notified the individual and received the individual's consent.
- monitor that personal information is being provided to third parties only for uses specified in the privacy notice.

Additional Considerations: Some jurisdictions, including some countries in Europe, require entities that transfer personal information to register with their regulatory body prior to transfer.
PIPEDA requires a comparable level of protection while the personal information is being processed by a third party.
Article 25 of the EU's Directive requires that such transfers take place only where the third party ensures an adequate level of protection.
Other types of onward transfers include transfers to third parties who are
- subsidiaries or affiliates.
- providing a service requested by the individual.
- law enforcement or regulatory agencies.
- in another country and may be subject to other requirements.

Ref.
7.2.4

Disclosure to Third Parties


Criteria

Illustrative Controls and


Procedures

Misuse of Personal Information


by a Third Party
The entity takes remedial action in
response to misuse of personal
information by a third party to whom
the entity has transferred such
information.

The entity
reviews complaints to identify
indications of any misuse of
personal information by third
parties.
responds to any knowledge of a
third party using or disclosing
personal information in variance
with the entitys privacy policies
and procedures or contractual
arrangements.
mitigates, to the extent
practicable, any harm caused by
the use or disclosure of personal
information by the third party in
violation of the entitys privacy
policies and procedures (for
example, notify individuals
affected, attempt to recover
information disclosed to others,
void affected numbers and
reissue new numbers).
takes remedial action in the
event that a third party misuses
personal information (for
example, contractual clauses
address the ramification of
misuse of personal information).

Additional Considerations

Copyright 2009 by
American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants.
All rights reserved. Checklists and sample documents contained herein may be reproduced and distributed as part of professional services or within the context of
professional practice, provided that reproduced materials are not in any way directly offered for sale or profit. For information about the procedure for requesting
permission to make copies of any part of this work, please visit www.copyright.com or call (978) 750-8400.

Security for Privacy

Ref.
Security for Privacy Criteria
Illustrative Controls and Procedures
Additional Considerations

8.0 The entity protects personal information against unauthorized access (both physical and logical).

8.1 Policies and Communications

8.1.0 Privacy Policies

Criteria: Privacy policies adequately address security measures to safeguard the privacy of personal information whether in electronic, paper, or other forms. Security measures are consistent with the sensitivity of the personal information.

Illustrative Controls and Procedures: The entity's privacy policies (including any relevant security policies) address the security of personal information.

Additional Considerations: Personal information in any location under control of the entity or deemed to be under control of the entity must be protected.

8.1.1 Communication to Individuals

Criteria: Individuals are informed that precautions are taken to protect personal information.

Illustrative Controls and Procedures: The entity's privacy notice describes the general types of security measures used to protect the individual's personal information, for example:
- Employees are authorized to access personal information based on job responsibilities.
- Authentication is used to prevent unauthorized access to personal information stored electronically.
- Physical security is maintained over personal information stored in hard copy form, and encryption is used to prevent unauthorized access to personal information sent over the Internet.
- Additional security safeguards are applied to sensitive information.

Additional Considerations: Users, management, providers, and other parties should strive to develop and adopt good privacy practices and to promote conduct that recognizes security needs and respects the legitimate interests of others. Consideration should be given to disclosing in the privacy notice the security obligations of individuals, such as keeping user IDs and passwords confidential and reporting security compromises. Consideration should be given to limiting the disclosure of detailed security procedures so as not to compromise internal security.

8.2 Procedures and Controls

8.2.1 Information Security Program

Criteria: A security program has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program should address, but not be limited to, the following areas¹ insofar as they relate to the security of personal information:
a. Risk assessment and treatment [1.2.4]
b. Security policy [8.1.0]
c. Organization of information security [sections 1, 7, and 10]
d. Asset management [section 1]
e. Human resources security [section 1]
f. Physical and environmental security [8.2.3 and 8.2.4]
g. Communications and operations management [sections 1, 7, and 10]
h. Access control [sections 1, 8.2, and 10]
i. Information systems acquisition, development, and maintenance [1.2.6]
j. Information security incident management [1.2.7]
k. Business continuity management [section 8.2]
l. Compliance [sections 1 and 10]

Illustrative Controls and Procedures: The entity's security program addresses the following matters related to protection of personal information:
- Periodic risk assessments
- Identification of all types of personal information and the related processes, systems, and third parties that are involved in the handling of such information
- Identification and documentation of the security requirements of authorized users
- Allowing access, the nature of that access, and who authorizes such access
- Preventing unauthorized access by using effective physical and logical access controls
- The procedures to add new users, modify the access levels of existing users, and remove users who no longer need access
- Assignment of responsibility and accountability for security
- Assignment of responsibility and accountability for system changes and maintenance
- Protecting operating system and network software and system files
- Protecting cryptographic tools and information
- Implementing system software upgrades and patches
- Testing, evaluating, and authorizing system components before implementation
- Addressing how complaints and requests relating to security issues are resolved
- Handling errors and omissions, security breaches, and other incidents
- Procedures to detect actual and attempted attacks or intrusions into systems and to proactively test security procedures (for example, penetration testing)
- Allocating training and other resources to support its security policies
- Provision for the handling of exceptions and situations not specifically addressed in its system processing integrity and related system security policies
- Business continuity management and disaster recovery plans and related testing
- Provision for the identification of, and consistency with, applicable laws and regulations, defined commitments, service-level agreements, and other contracts
- A requirement that users, management, and third parties confirm (initially and annually) their understanding of and agreement to comply with the entity's privacy policies and procedures related to the security of personal information
- Procedures to cancel access privileges and ensure return of computers and other devices used to access or store personal information when personnel are terminated

The entity's security program prevents access to personal information in computers, media, and paper-based information that are no longer in active use by the organization (for example, computers, media, and paper-based information in storage, sold, or otherwise disposed of).

Additional Considerations: Safeguards employed may consider the nature and sensitivity of the data, as well as the size and complexity of the entity's operations. For example, the entity may protect personal information and other sensitive information to a level greater than it applies for other information.
Some regulations (for example, HIPAA) provide a greater level of detail and guidance on specific security measures to be considered and implemented.
Some security rules (for example, GLBA-related rules for safeguarding information) require the following:
- Board (or committee or individual appointed by the board) approval and oversight of the entity's information security program.
- That an entity take reasonable steps to oversee appropriate service providers by
  - exercising appropriate due diligence in the selection of service providers.
  - requiring service providers by contract to implement and maintain appropriate safeguards for the personal information at issue.
The payment card industry has established specific security and privacy requirements for cardholder information from certain brands.

¹ These areas are drawn from ISO/IEC 27002:2005, Information technology - Security techniques - Code of practice for information security management. Permission is granted by the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). Copies of ISO/IEC 27002 can be purchased from ANSI in the United States at http://webstore.ansi.org/ and in Canada from the Standards Council of Canada at www.standardsstore.ca/eSpecs/index.jsp. It is not necessary to meet all of the criteria of ISO/IEC 27002:2005 to satisfy Generally Accepted Privacy Principles criterion 8.2.1. The references associated with each area indicate the most relevant Generally Accepted Privacy Principles criteria for this purpose.

8.2.2 Logical Access Controls

Criteria: Logical access to personal information is restricted by procedures that address the following matters:
a. Authorizing and registering internal personnel and individuals
b. Identifying and authenticating internal personnel and individuals
c. Making changes and updating access profiles
d. Granting privileges and permissions for access to IT infrastructure components and personal information
e. Preventing individuals from accessing anything other than their own personal or sensitive information
f. Limiting access to personal information to only authorized internal personnel based upon their assigned roles and responsibilities
g. Distributing output only to authorized internal personnel
h. Restricting logical access to offline storage, backup data, systems, and media
i. Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
j. Preventing the introduction of viruses, malicious code, and unauthorized software

Illustrative Controls and Procedures: Systems and procedures are in place to
- establish the level and nature of access that will be provided to users based on the sensitivity of the data and the user's legitimate business need to access the personal information.
- authenticate users, for example, by user name and password, certificate, external token, or biometrics before access is granted to systems handling personal information.
- require enhanced security measures for remote access, such as additional or dynamic passwords, callback procedures, digital certificates, secure ID cards, virtual private network (VPN), or properly configured firewalls.
- implement intrusion detection and monitoring systems.

Additional Considerations: User authorization processes consider the following:
- How the data is accessed (internal or external network), as well as the media and technology platform of storage
- Access to paper and backup media containing personal information
- Denial of access to joint accounts without other methods to authenticate the actual individuals
Some jurisdictions require stored data (at rest) to be encrypted or otherwise obfuscated.
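One way to implement the authorization criteria of 8.2.2 (b, e, f, and i) in code, as an added example that is not part of the GAPP document: a deny-by-default check that requires authentication first, lets an individual read only their own record, grants internal personnel access only through assigned roles, reserves privileged functions for one explicitly authorized role, and writes every decision to an access log so it can be monitored. The role names, actions, sensitivity levels, and sample records are assumptions made for this example.

```python
"""Deny-by-default authorization for access to personal information.

Added illustration (not code from the GAPP document). Every name below
(roles, actions, record fields) is an assumption made for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical role-to-permission map (criterion f: access by assigned role).
ROLE_PERMISSIONS = {
    "customer_service": {"read"},
    "records_admin": {"read", "update"},
    "security_admin": {"read", "admin_config"},
}
# Criterion i: superuser-style functions are restricted to one role.
PRIVILEGED_ACTIONS = {"admin_config"}
PRIVILEGED_ROLE = "security_admin"


@dataclass
class Subject:
    subject_id: str
    kind: str                          # "individual" (data subject) or "personnel"
    roles: Set[str] = field(default_factory=set)
    authenticated: bool = False        # criterion b: authenticate before access


@dataclass
class PersonalRecord:
    record_id: str
    owner_id: str                      # the individual the record is about
    sensitivity: str = "normal"        # "normal" or "sensitive"


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded here so the security group can monitor access.
ACCESS_LOG: List[dict] = []


def authorize(subject: Subject, action: str, record: Optional[PersonalRecord]) -> Decision:
    """Evaluate the request and log the outcome (allow and deny alike)."""
    decision = _evaluate(subject, action, record)
    ACCESS_LOG.append({
        "subject": subject.subject_id,
        "action": action,
        "record": record.record_id if record else None,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def _evaluate(subject: Subject, action: str, record: Optional[PersonalRecord]) -> Decision:
    if not subject.authenticated:
        return Decision(False, "not authenticated")
    # Criterion i: privileged functions only for the explicitly authorized role.
    if action in PRIVILEGED_ACTIONS:
        if PRIVILEGED_ROLE in subject.roles:
            return Decision(True, "privileged role")
        return Decision(False, "privileged action denied")
    if record is None:
        return Decision(False, "no record specified")
    # Criterion e: an individual may only read their own personal information.
    if subject.kind == "individual":
        if action == "read" and record.owner_id == subject.subject_id:
            return Decision(True, "own record")
        return Decision(False, "individuals may only read their own record")
    # Criterion f: internal personnel get only what their roles grant.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    if action not in granted:
        return Decision(False, "action not granted to assigned roles")
    # 8.1.1: additional safeguard for sensitive information (an extra role here).
    if record.sensitivity == "sensitive" and "records_admin" not in subject.roles:
        return Decision(False, "sensitive record requires records_admin")
    return Decision(True, "role permits action")


if __name__ == "__main__":
    alice = Subject("alice", "individual", authenticated=True)
    print(authorize(alice, "read", PersonalRecord("r1", "alice")))
    print(authorize(alice, "read", PersonalRecord("r2", "bob")))
```

The check is ordered so that the cheapest and most general denials come first (unauthenticated, privileged action), and the ownership rule for individuals is evaluated before any role logic, so a data subject can never be granted a role-based permission by accident.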

8.2.3 Physical Access Controls

Criteria: Physical access is restricted to personal information in any form (including the components of the entity's system(s) that contain or protect personal information).

Illustrative Controls and Procedures: Systems and procedures are in place to
- manage logical and physical access to personal information, including hard copy, archival, and backup copies.
- log and monitor access to personal information.
- prevent the unauthorized or accidental destruction or loss of personal information.
- investigate breaches and attempts to gain unauthorized access.
- communicate investigation results to the appropriate designated privacy executive.
- maintain physical control over the distribution of reports containing personal information.
- securely dispose of waste containing confidential information (for example, shredding).
Physical safeguards may include the use of locked file cabinets, card access systems, physical keys, sign-in logs, and other techniques to control access to offices, data centers, and other locations in which personal information is processed or stored.

8.2.4 Environmental Safeguards

Criteria: Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards.

Illustrative Controls and Procedures: Management maintains measures to protect against environmental factors (for example, fire, flood, dust, power failure, and excessive heat and humidity) based on its risk assessment. The entity's controlled areas are protected against fire using both smoke detectors and a fire suppression system. In addition, the entity maintains physical and other safeguards to prevent accidental disclosure of personal information in the event of an environmental incident.

Additional Considerations: Some regulations, such as those in the EU Directive, also require that personal information is protected against unlawful destruction, accidental loss, natural disasters, and environmental hazards, in addition to accidental disclosure.
8.2.5 Transmitted Personal Information

Criteria: Personal information is protected when transmitted by mail or other physical means. Personal information collected and transmitted over the Internet, over public and other nonsecure networks, and wireless networks is protected by deploying industry standard encryption technology for transferring and receiving personal information.

Illustrative Controls and Procedures: Systems and procedures are in place to
- define minimum levels of encryption and controls.
- employ industry standard encryption technology, for example, 128-bit Transport Layer Security (TLS), over VPNs, for transferring and receiving personal information.
- approve external network connections.
- protect personal information in both hardcopy and electronic forms sent by mail, courier, or other physical means.
- encrypt personal information collected and transmitted wirelessly and protect wireless networks from unauthorized access.

Additional Considerations: Some regulations (for example, HIPAA) have specific provisions for the electronic transmission and authentication of signatures with respect to health information records (that is, associated with the standard transactions).
Some credit card vendors have issued minimum requirements for protecting cardholder data, including the requirement to use encryption techniques for credit card and transaction related data in transmission and in storage.
As technology, market, and regulatory conditions evolve, new measures may become necessary to meet acceptable levels of protection (for example, 128-bit secure TLS, including user IDs and passwords).
Voice transmission from wireless devices (for example, cell phones) of personal information may not be encrypted.
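The first 8.2.5 control, "define minimum levels of encryption and controls", can be expressed as a concrete transport policy and a check that a configuration actually meets it. The following is an added example using Python's standard ssl module, not code from the GAPP document: it builds a client context that refuses anything below TLS 1.2, keeps only forward-secret AEAD cipher suites, requires server certificate and hostname verification, and reports every enabled suite weaker than 128 bits (the figure the page cites). The cipher string, the 128-bit floor, and the deliberately weak comparison context are assumptions made for the example.

```python
"""Minimum transport-encryption policy for personal information in transit.

Added illustration, not code from the GAPP document. The cipher policy and
the 128-bit floor are policy choices assumed for this example.
"""
import ssl
from typing import List

MIN_STRENGTH_BITS = 128   # floor taken from the page's "128-bit TLS"
# Assumed policy: ECDHE key exchange (forward secrecy) with AEAD ciphers only;
# TLS 1.3 suites are managed separately by OpenSSL and are all AEAD.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES:!RC4"


def build_context() -> ssl.SSLContext:
    """Client context that enforces the transmission policy."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def weakest_cipher_bits(ctx: ssl.SSLContext) -> int:
    """Strength of the weakest cipher suite the context would negotiate."""
    return min((s["strength_bits"] for s in ctx.get_ciphers()), default=0)


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Human-readable findings against the policy; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low: {ctx.minimum_version.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    for s in ctx.get_ciphers():
        if s["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"weak cipher suite enabled: {s['name']} ({s['strength_bits']} bits)")
    return findings


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Compact report suitable for an evidence file (8.2.7 testing)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "weakest_bits": weakest_cipher_bits(ctx),
        "violations": policy_violations(ctx),
    }


def legacy_context() -> ssl.SSLContext:
    """A deliberately weak context, constructed only to show what the check flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass                             # OpenSSL build without TLS 1.0 support
    return ctx


if __name__ == "__main__":
    print("policy context:", context_summary(build_context()))
    print("legacy context:", context_summary(legacy_context()))
```

The check reads the context's own state rather than a sample connection, so it can run in a build pipeline or a periodic safeguard test without network access; the same functions can be pointed at any context an application constructs.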

8.2.6 Personal Information on Portable Media

Criteria: Personal information stored on portable media or devices is protected from unauthorized access.

Illustrative Controls and Procedures: Policies and procedures prohibit the storage of personal information on portable media or devices unless a business need exists and such storage is approved by management.
Policies, systems, and procedures are in place to protect personal information accessed or stored in manners such as using the following:
- Laptop computers, PDAs, smartphones and similar devices
- Computers and other devices used by employees while, for example, traveling and working at home
- USB drives, CDs and DVDs, magnetic tape, or other portable media
Such information is encrypted, password protected, physically protected, and subject to the entity's access, retention, and destruction policies.
Controls exist over creation, transfer, storage, and disposal of media containing personal information used for backup and recovery.
Procedures exist to report loss or potential misuse of media containing personal information.
Upon termination of employees or contractors, procedures provide for the return or destruction of portable media and devices used to access and store personal information, and of printed and other copies of such information.

Additional Considerations: Consideration should be given to the protection needed for any personal information provided to, for example, regulators and auditors.
8.2.7 Testing Security Safeguards

Criteria: Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.

Illustrative Controls and Procedures: Systems and procedures are in place to
- regularly test the effectiveness of the key administrative, technical, and physical safeguards protecting personal information.
- periodically undertake independent audits of security controls using either internal or external auditors.
- test card access systems and other physical security devices at least annually.
- document and test disaster recovery and contingency plans at least annually to ensure their viability.
- periodically undertake threat and vulnerability testing, including security penetration and Web vulnerability and resilience.
- make appropriate modifications to security policies and procedures on a periodic basis, taking into consideration the results of tests performed and new and changing threats and vulnerabilities.
- periodically report the results of security testing to management.

Additional Considerations: The frequency and nature of the testing of security safeguards will vary with the entity's size and complexity, the nature and scope of its activities, and the sensitivity of personal information.
Some security regulations (for example, GLBA-related rules for safeguarding information) require an entity to
- conduct regular tests of key controls, systems, and procedures by independent third parties or by staff independent of those that develop or maintain security (or at least have these independent parties review results of testing).
- assess and possibly adjust its information security at least annually.


Quality

Ref.
Quality Criteria
Illustrative Controls and Procedures
Additional Consideration

9.0 The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

9.1 Policies and Communications

9.1.0 Privacy Policies

Criteria: The entity's privacy policies address the quality of personal information.

9.1.1 Communication to Individuals

Criteria: Individuals are informed that they are responsible for providing the entity with accurate and complete personal information, and for contacting the entity if correction of such information is required.

Illustrative Controls and Procedures: The entity's privacy notice explains that personal information needs to be kept accurate and complete only when the individual has an ongoing relationship with the entity.

9.2 Procedures and Controls

9.2.1 Accuracy and Completeness of Personal Information

Criteria: Personal information is accurate and complete for the purposes for which it is to be used.

Illustrative Controls and Procedures: Systems and procedures are in place to
- edit and validate personal information as it is collected, created, maintained, and updated.
- record the date when the personal information is obtained or updated.
- specify when the personal information is no longer valid.
- specify when and how the personal information is to be updated and the source for the update (for example, annual reconfirmation of information held and methods for individuals to proactively update personal information).
- indicate how to verify the accuracy and completeness of personal information obtained directly from an individual, received from a third party (see 4.2.3, Collection From Third Parties), or disclosed to a third party (see 7.2.2, Protection of Personal Information).
- ensure personal information used on an ongoing basis is sufficiently accurate and complete to make decisions, unless clear limits exist for the need for accuracy.
- ensure personal information is not routinely updated unless such a process is necessary to fulfill the purposes for which it is to be used.
The entity undertakes periodic assessments to check the accuracy of personal information records and to correct them, as necessary, to fulfill the stated purpose.

9.2.2 Relevance of Personal Information

Criteria: Personal information is relevant to the purposes for which it is to be used.

Illustrative Controls and Procedures: Systems and procedures are in place to
- ensure personal information is sufficiently relevant for the purposes for which it is to be used and to minimize the possibility that inappropriate information is used to make business decisions about the individual.
- periodically assess the relevance of personal information records and to correct them, as necessary, to minimize the use of inappropriate data for decision making.


Monitoring and Enforcement

Ref.
Monitoring and Enforcement Criteria
Illustrative Controls and Procedures
Additional Considerations

10.0 The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints and disputes.

10.1 Policies and Communications

10.1.0 Privacy Policies

Criteria: The entity's privacy policies address the monitoring and enforcement of privacy policies and procedures.

10.1.1 Communication to Individuals

Criteria: Individuals are informed about how to contact the entity with inquiries, complaints and disputes.

10.2 Procedures and Controls

10.2.1 Inquiry, Complaint, and Dispute Process

Criteria: A process is in place to address inquiries, complaints, and disputes.

Illustrative Controls and Procedures: The entity's privacy notice
- describes how individuals can contact the entity with complaints (for example, via an e-mail link to the entity's Web site or a telephone number).
- provides relevant contact information to which the individual can direct complaints (for example, name, telephone number, mailing address, and e-mail address of the individual or office responsible for handling complaints).
The corporate privacy officer or other designated individual is authorized to address privacy-related complaints, disputes, and other problems.
Systems and procedures are in place that allow for
- procedures to be followed in communicating and resolving complaints about the entity.
- action that will be taken with respect to the disputed information until the complaint is satisfactorily resolved.
- remedies to be available in case of a breach of personal information and how to communicate this information to an individual.
- recourse and a formal escalation process to be in place to review and approve any recourse offered to individuals.
- contact information and procedures to be followed with any designated third-party dispute resolution or similar service (if offered).

10.2.2 Dispute Resolution and Recourse

Criteria: Each complaint is addressed, and the resolution is documented and communicated to the individual.

Illustrative Controls and Procedures: The entity has a formally documented process in place to
- train employees responsible for handling individuals' complaints and disputes about the resolution and escalation processes.
- document and respond to all complaints in a timely manner.
- periodically review unresolved disputes and complaints to ensure they are resolved in a timely manner.
- escalate unresolved complaints and disputes for review by management.
- identify trends and the potential need to change the entity's privacy policies and procedures.
- use specified independent third-party dispute resolution services or other processes mandated by regulatory bodies in the event the individual is not satisfied with the entity's proposed resolution, together with a commitment from such third parties to handle such recourses.
If the entity offers a third-party dispute resolution process for complaints that cannot be resolved directly with the entity, an explanation is provided about how an individual can use that process.

Additional Considerations: Some regulations (for example, HIPAA and COPPA) have specific procedures and requirements.
Some laws (for example, PIPEDA) permit escalation through the court system up to the most senior court.

10.2.3 Compliance Review

Criteria: Compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, and other contracts is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.

Illustrative Controls and Procedures: Systems and procedures are in place to
- annually review compliance with privacy policies and procedures, commitments and applicable laws, regulations, service-level agreements, standards adopted by the entity, and other contracts.
- document periodic reviews, for example, internal audit plans, audit reports, compliance checklists, and management sign-offs.
- report the results of the compliance review and recommendations for improvement to management, and implement a remediation plan.
- monitor the resolution of issues and vulnerabilities noted in the compliance review to ensure that appropriate corrective action is taken on a timely basis (that is, privacy policies and procedures are revised, as necessary).

Additional Considerations: In addition to legal, regulatory and contractual requirements, some entities may elect to comply with certain standards, such as those published by ISO, or may be required to comply with certain standards, such as those published by the payment card industry, as a condition of doing business.

10.2.4 Instances of Noncompliance

Criteria: Instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.

Illustrative Controls and Procedures: Systems and procedures are in place to
- notify employees of the need to report privacy breaches and security vulnerabilities in a timely manner.
- inform employees of the appropriate channels to report security vulnerabilities and privacy breaches.
- document instances of noncompliance with privacy policies and procedures.
- monitor the resolution of security vulnerabilities and privacy breaches to ensure appropriate corrective measures are taken on a timely basis.
- discipline employees and others, as appropriate, who cause privacy incidents or breaches.
- mitigate, to the extent practicable, any harm caused by the use or disclosure of personal information by the third party in violation of the entity's privacy policies and procedures (for example, notify individuals affected, attempt to recover information disclosed to others, void affected account numbers and reissue new numbers).
- identify trends that may require revisions to privacy policies and procedures.

10.2.5 Ongoing Monitoring

Criteria: Ongoing procedures are performed for monitoring the effectiveness of controls over personal information, based on a risk assessment [1.2.4], and for taking timely corrective actions where necessary.

Illustrative Controls and Procedures: The entity uses the following:
- Control reports
- Trend analysis
- Training attendance and evaluations
- Complaint resolutions
- Regular internal reviews
- Internal audit reports
- Independent audit reports covering controls at service organizations
- Other evidence of control effectiveness
The selection of controls to be monitored, and the frequency with which they are monitored, are based on the sensitivity of the information and the risks of possible exposure of the information. Examples of such controls are as follows:
- Policies require that all employees take initial privacy training within 30 days of employment. Ongoing monitoring activities would include a review of human resource files of selected employees to determine that they contain the appropriate evidence of course completion.
- Policies require that whenever an employee changes job responsibilities or is terminated, such employee's access to personal information be reviewed and appropriately modified or terminated within 24 hours (or immediately in the case of employee termination). This is controlled by an automated process within the human resource system which produces a report of employee status changes, which requires supervisor action to avoid automatic termination of access. This is monitored by the security group which receives copies of these reports and the related supervisor actions.
- Policies state that confirmation of a privacy-related complaint is provided to the complainant within 72 hours, and if not resolved within 10 working days, then the issue is escalated to the CPO. The control is a log used to record privacy complaints, including complaint date, and subsequent activities through to resolution. The monitoring activity is the monthly review of such logs for consistency with this policy.

Additional Considerations: Guidance on Monitoring Internal Control Systems, published by COSO (the Committee of Sponsoring Organizations of the Treadway Commission), provides helpful guidance for monitoring the effectiveness of controls.
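The last two 10.2.5 examples describe monitoring activities that are easy to automate: reconciling the HR status-change report against the access-control system (24 hours, or immediately on termination) and reviewing the complaint log against the 72-hour confirmation and 10-working-day escalation policy. The following is an added example, not code from the GAPP document, that runs both checks over constructed sample rows; the field names, the sample records, the review date, and the treatment of weekends as the only non-working days are assumptions made for the example.

```python
"""Monitoring checks for two of the 10.2.5 example controls.

Added illustration, not code from the GAPP document. All rows below are
constructed sample data; field names are assumptions for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# --- constructed sample data ---------------------------------------------
HR_STATUS_CHANGES = [  # report produced by the human resource system
    {"employee": "e101", "change": "transfer", "effective": "2009-03-02T09:00"},
    {"employee": "e102", "change": "termination", "effective": "2009-03-03T17:00"},
    {"employee": "e103", "change": "transfer", "effective": "2009-03-04T08:00"},
]
ACCESS_CHANGES = [     # records from the access-control system
    {"employee": "e101", "action": "modified", "at": "2009-03-02T15:30"},
    {"employee": "e102", "action": "terminated", "at": "2009-03-03T17:05"},
    # e103 has no matching access change: this must surface as a finding
]
COMPLAINT_LOG = [      # the complaint log the policy requires
    {"id": "C-1", "received": "2009-03-02T10:00", "acknowledged": "2009-03-03T09:00",
     "resolved": "2009-03-06T12:00", "escalated": None},
    {"id": "C-2", "received": "2009-03-02T10:00", "acknowledged": "2009-03-06T09:00",
     "resolved": None, "escalated": None},          # acknowledged late, still open
    {"id": "C-3", "received": "2009-03-02T10:00", "acknowledged": "2009-03-02T11:00",
     "resolved": None, "escalated": None},          # open past deadline, not escalated
]
REVIEW_DATE = datetime(2009, 4, 1, 9, 0)  # the monthly review point (assumed)

# --- policy parameters, taken from the page's examples --------------------
ACCESS_CHANGE_WINDOW = timedelta(hours=24)
ACK_WINDOW = timedelta(hours=72)
ESCALATION_WORKING_DAYS = 10


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def check_access_changes(hr_rows: List[dict], access_rows: List[dict]) -> List[str]:
    """Findings for HR status changes not matched by a timely access change."""
    latest: Dict[str, dict] = {}
    for row in access_rows:                      # keep the most recent change per employee
        prev = latest.get(row["employee"])
        if prev is None or parse_ts(row["at"]) > parse_ts(prev["at"]):
            latest[row["employee"]] = row
    findings = []
    for hr in hr_rows:
        effective = parse_ts(hr["effective"])
        acc = latest.get(hr["employee"])
        if acc is None or parse_ts(acc["at"]) < effective:
            findings.append(f"{hr['employee']}: no access change after {hr['change']}")
            continue
        delay = parse_ts(acc["at"]) - effective
        if hr["change"] == "termination" and acc["action"] != "terminated":
            findings.append(f"{hr['employee']}: terminated but access only {acc['action']}")
        elif delay > ACCESS_CHANGE_WINDOW:
            findings.append(f"{hr['employee']}: access changed {delay} after {hr['change']}")
    return findings


def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by `days` working days, skipping Saturday and Sunday (holidays not modelled)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def check_complaint_log(rows: List[dict], review_at: datetime) -> List[str]:
    """Findings for complaints acknowledged late or overdue for escalation to the CPO."""
    findings = []
    for c in rows:
        received = parse_ts(c["received"])
        ack = parse_ts(c["acknowledged"])
        if ack is None or ack - received > ACK_WINDOW:
            findings.append(f"{c['id']}: acknowledgement not within 72 hours")
        deadline = add_working_days(received, ESCALATION_WORKING_DAYS)
        open_until = parse_ts(c["resolved"]) or review_at
        if open_until > deadline and not c["escalated"]:
            findings.append(f"{c['id']}: open past 10 working days without escalation to CPO")
    return findings


if __name__ == "__main__":
    for line in check_access_changes(HR_STATUS_CHANGES, ACCESS_CHANGES):
        print("ACCESS:", line)
    for line in check_complaint_log(COMPLAINT_LOG, REVIEW_DATE):
        print("COMPLAINT:", line)
```

Both checks treat a missing counterpart record as a finding rather than as silence, which is the point of the reconciliation: the control fails most often by an action never being taken, not by one being taken late.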
